
Identity PSK Manager for Cisco ISE

Identity Pre-Shared Key (PSK) Manager simplifies the management and provisioning of unique PSKs to devices within your environment. It is a standalone application that integrates with Cisco ISE through an ODBC connection and Cisco ISE's APIs.


Overview

Identity PSK ("IPSK") Manager for Cisco ISE provides a way to manage the full life cycle of pre-shared keys for supported hardware/software through Cisco ISE.

The sample code provided is designed to integrate with Cisco ISE via ODBC, External RESTful Services (ERS) API, and Monitoring API.

In addition, both the 'Sponsor' and 'Captive' portals can be customized: you can edit the existing templates or create new ones and add them to the manager.

The ODBC connection provides the core functionality between IPSK Manager and Cisco ISE, while the APIs are used for other minor functionality such as performing Change of Authorization ("CoA") and creating Authorization Profiles for IPSK Captive Portals.

Features

Identity PSK Manager enables the following features/functionality:

  • ODBC Integration with Cisco ISE as an External Identity Source
  • Cisco ISE ERS API Integration
  • Cisco ISE Monitoring API Integration
  • Internal iPSK Identity Store for Management of Administration & Portal Access
  • SAML & Active Directory Authentication Capable
  • Customizable Authorization Profiles (Unique or Random PSK on a per Device or User basis)
  • Customizable Endpoint Groups
  • Customizable Portal Groups
  • Customizable Sponsor & Captive Portals

What's New (May 2024)

  • Refreshed Sponsor Portal Pages
  • Refreshed Captive Portal Pages
  • Automated Update Process
  • Support for running iPSK Manager in a Docker Container

What's New (April 2024)

Technologies & Frameworks Used

Cisco Products:

  • Cisco ISE v2.4+

Tools & Frameworks:

  • Bootstrap v5.3.3
  • jQuery v3.7.1
  • feathericon
  • Chart JS v4.4.2
  • ClipBoard Copy v2.0.11
  • DataTables v2.0.5

We would like to thank all the authors and contributors of the previously mentioned tools and frameworks!

The documentation and guides available for these tools contained the details needed to bring this application to life. Below are links to references used for the above tools and frameworks:

Prerequisites

  • Cisco ISE v2.4+ (Tested with ISE 3.3)
  • Apache Web Server
  • PHP 8.0+ (Tested with PHP 8.3)
    • Required Modules: mbstring, ldap, mysqli, mysqlnd, curl, simplexml, xml, sodium, and json
  • MySQL or MariaDB (Tested with MySQL 8.1)

iPSK Manager Installation

Ubuntu 22.04.x LTS

  1. After installing Ubuntu OS, make sure the system is up-to-date:
admin@ubuntu:~$ sudo apt-get update
admin@ubuntu:~$ sudo apt-get upgrade
  2. After updating Ubuntu OS, install Apache2, PHP, MySQL server, and the additional PHP modules (php-mysql is the Ubuntu package that provides the mysqli and mysqlnd modules):
admin@ubuntu:~$ sudo apt-get install php apache2 mysql-server php-mysql php-ldap php-curl php-mbstring php-xml
  3. Enable Apache modules:
admin@ubuntu:~$ sudo a2enmod rewrite
admin@ubuntu:~$ sudo a2enmod ssl
  4. Download iPSK Manager from GitHub:
admin@ubuntu:~$ sudo git clone https://github.com/CiscoSE/iPSK-Manager.git /var/www/iPSK-Manager
[sudo] password for admin: 
Cloning into '/var/www/iPSK-Manager'...
remote: Enumerating objects: 13, done.
remote: Counting objects: 100% (13/13), done.
remote: Compressing objects: 100% (13/13), done.
remote: Total 261 (delta 6), reused 0 (delta 0), pack-reused 248
Receiving objects: 100% (261/261), 311.44 KiB | 2.29 MiB/s, done.
Resolving deltas: 100% (141/141), done.
admin@ubuntu:~$ 
  5. (Recommended) Run the MySQL post-installation hardening utility:
admin@ubuntu:~$ sudo mysql_secure_installation

Note: For more information on the MySQL or MariaDB secure installation utility, please review:

  6. (Recommended) Instead of using the MySQL root account, create a temporary 'install' account to install iPSK Manager and remove it once the installation is complete:
admin@ubuntu:~$ sudo mysql -p
Enter password: 
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1080
Server version: 5.7.27-0ubuntu0.18.04.1 (Ubuntu)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> CREATE USER 'install'@'%' IDENTIFIED BY '{SOME PASSWORD}';
mysql> GRANT ALL PRIVILEGES ON *.* TO 'install'@'%' WITH GRANT OPTION;
mysql> FLUSH PRIVILEGES;
mysql> exit
  7. Change the owner of the iPSK-Manager directory (example for Ubuntu, where the Apache process runs as the www-data user and group):
admin@ubuntu:~$ cd /var/www
admin@ubuntu:~$ sudo chown www-data:www-data -R iPSK-Manager
  8. It is recommended to use SSL for security; the following steps describe how to enable it. If no certificate is available, follow the instructions in the Appendix on how to use the non-SSL ports for the portals.

  9. (Recommended) Create a self-signed certificate using OpenSSL or an external tool. You will need the private key, the signed certificate, and the CA chain if applicable.

  10. (Recommended) Enable SSL for the admin portal. Sample Apache configuration for the admin portal and the end user portals is located in the root of the install directory in the file 'portal-ssl.sample.conf'. The file has three sections: one for the admin portal and two for enabling ports 8443 and 8445 for SSL. Copy each section into a separate file under '/etc/apache2/sites-enabled' to enable it, and update the path and file names for the certificate. First, for the admin portal, create a file called '443-ssl.conf' with the following content:

<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@ipskmanager

DocumentRoot /var/www/iPSK-Manager/adminportal

<Directory /var/www/iPSK-Manager/adminportal>
AllowOverride All
</Directory>

ErrorLog ${APACHE_LOG_DIR}/admin-error.log
CustomLog ${APACHE_LOG_DIR}/admin-access.log combined

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /path/to/my/ssl.crt
SSLCertificateKeyFile /path/to/my/ssl.key

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
SSLCertificateChainFile /path/to/my/ssl.chain

<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>

</VirtualHost>
</IfModule>

Note: Make sure to modify the path and file name for the certificate, private key, and the certificate chain

  11. (Recommended) Enable SSL for the end user portal port. For the end user portal, create a file called '8443-ssl.conf' with the following content:
<IfModule mod_ssl.c>

Listen 8443

<VirtualHost *:8443>

ServerAdmin webmaster@ipskmanager

DocumentRoot /var/www/iPSK-Manager/portals

<Directory /var/www/iPSK-Manager/portals>
AllowOverride All
</Directory>

ErrorLog ${APACHE_LOG_DIR}/portal-8443-error.log
CustomLog ${APACHE_LOG_DIR}/portal-8443-access.log combined

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /path/to/my/ssl.crt
SSLCertificateKeyFile /path/to/my/ssl.key

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
SSLCertificateChainFile /path/to/my/ssl.chain

<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>

</VirtualHost>
</IfModule>
  12. (Recommended) Once SSL is enabled, restart Apache. If your private key is encrypted, you will be asked for the passphrase of the private key file:
admin@ubuntu:~$ sudo systemctl restart apache2
Enter passphrase for SSL/TLS keys for 127.0.1.1:443 (RSA): *********
admin@ubuntu:~$ 
  13. Run the setup via a browser. From any machine, open a web browser and go to the IP or hostname (if DNS is already set up) of the IPSK Manager host, e.g. https://portal.authc.net or https://192.168.201.90/

  14. You will be greeted with the setup screen; click Next, accept the license agreement, and click Next to continue with the setup.

  15. The installer also checks that the required PHP modules are installed; if any are missing, go back to the CLI, install them, and rerun the installer.

  16. Accept the default values or change them as needed:

| Field Name                | Sample Entry  | Note                                                                                                                                 |
|---------------------------|---------------|--------------------------------------------------------------------------------------------------------------------------------------|
| MySQL Server IP/FQDN      | 127.0.0.1     |                                                                                                                                      |
| iPSK Database Username    | ipsk-db-user  | A random password will be generated at the end of the installation process                                                           |
| Cisco ISE ODBC Username   | ipsk-ise-user | The username ISE will use for the SQL connection. A random password will be generated at the end of the installation process         |
| iPSK Database Name        | ipsk          |                                                                                                                                      |
| MySQL Admin/Root Username | install       | The temporary MySQL install account, if one was created; otherwise the root account                                                  |
| MySQL Admin/Root Password | ********      | The password of the temporary MySQL install account, if one was created; otherwise the root password                                 |
  17. You will also be asked to create the local GUI administrator account password.

  18. If the install fails, go back through the steps above to check whether any of them were missed.

  19. At the end of the setup process, the installer automatically downloads a text file called 'DONOTDELETE-iPSKMANAGER-Install.txt' containing the database details, including the usernames and passwords needed for ISE communication, such as the following:

#Copyright 2021 Cisco Systems, Inc. or its affiliates
#
#Licensed under the Apache License, Version 2.0 (the "License");
#you may not use this file except in compliance with the License.
#You may obtain a copy of the License at
#
#  http://www.apache.org/licenses/LICENSE-2.0
#
#Unless required by applicable law or agreed to in writing, software
#distributed under the License is distributed on an "AS IS" BASIS,
#WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#See the License for the specific language governing permissions and
#limitations under the License.

########################################################
## iPSK Manager
## DO NOT DELETE THIS DATA - STORE IN A SECURE LOCATION
## THIS FILE CONTAINS DETAILS ABOUT YOUR INSTALLATION
########################################################

#Organization SID for iPSK Manager
#---------------------------------
Organization (System) SID Value = S-1-9-1569991369-1569991369-1

#Encryption Key for Encrypting MySQL Sensitive Data
#--------------------------------------------------
Encryption Key = AipsBSIhIJ+TnwsYkLlw1fTPSXc/siDQoP8YaTWZNpY=

#iPSKManager Database Credentials
#--------------------------------
Host = 127.0.0.1
Username = ipsk-db-user
Password = t@DKrkNyZhvXnUTd
Database = ipsk

#Cisco ISE MySQL Credentials
#---------------------------
Username = ipsk-ise-user
Password = e1YV3JefcDQut8g
Database = ipsk

#Cisco ISE Stored Procedures Names
#---------------------------------
iPSK_AttributeFetch
iPSK_AuthMACPlain
iPSK_FetchGroups
iPSK_FetchPasswordForMAC
iPSK_MACLookup

###OPTIONAL### Cisco ISE Replacement Stored Procedures for returning only Non-Expired Endpoints Contained within the iPSK Database
#---------------------------------------------------------------------------------------------------------------------------------
iPSK_AuthMACPlainNonExpired
iPSK_FetchPasswordForMACNonExpired
iPSK_MACLookupNonExpired

Note: Keep this file safe; it contains the data encryption key and the database passwords, and it is needed if iPSK Manager has to be restored or a new ISE / iPSK Manager integration is set up.

  20. You should be redirected to the iPSK Manager login page, where you can enter the credentials created during setup (the default GUI admin username is "administrator") to log in and proceed with the iPSK Manager configuration.

  21. Allow SQL connections from other hosts by editing the '/etc/mysql/mysql.conf.d/mysqld.cnf' file. Find the line 'bind-address = 127.0.0.1' and comment it out by adding '#' at the front. Also add the line 'default_authentication_plugin=mysql_native_password' to enable MySQL native passwords so that ISE can connect to MySQL 8.x.

Note: Commenting out the bind address allows SQL access from all hosts, so apply MySQL security best practices such as firewall rules that restrict the MySQL port (3306 by default) to the ISE nodes and limiting the MySQL users to specific hosts.

  22. Restart the MySQL service by running "sudo systemctl restart mysql".

  23. Reset the ISE MySQL credential with mysql_native_password to make it compatible with ISE:

admin@ubuntu:~$ sudo mysql -p
mysql> ALTER USER 'ipsk-ise-user'@'%' IDENTIFIED WITH mysql_native_password BY '{PASSWORD}';
mysql> FLUSH PRIVILEGES;
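Following up on the note above about limiting MySQL users to specific hosts, the statements below (an added example, not part of the iPSK Manager installer) re-scope the ISE ODBC account from any host ('%') to the ISE node; the address 192.0.2.10 and the '{PASSWORD}' placeholder are assumptions to be replaced with your own values.

```sql
-- Added example (not from the iPSK Manager project): restrict the ISE ODBC
-- account to the address of the ISE node that performs the ODBC lookups.
-- 192.0.2.10 is a placeholder. With several policy service nodes, either
-- use a MySQL host pattern such as '192.0.2.%' or create one account entry
-- per node with the same grants.

-- 1. Set the ISE-compatible plugin and password on the installer-created
--    any-host entry (this is the same step as above).
ALTER USER 'ipsk-ise-user'@'%'
  IDENTIFIED WITH mysql_native_password BY '{PASSWORD}';

-- 2. Move the entry to the ISE node. RENAME USER keeps the password, the
--    plugin and the privileges the installer granted on the ipsk schema,
--    so ISE keeps working, but only from that address.
RENAME USER 'ipsk-ise-user'@'%' TO 'ipsk-ise-user'@'192.0.2.10';

-- 3. Verify: no iPSK account should remain reachable from every host.
--    The application account (ipsk-db-user) only connects locally via
--    127.0.0.1 per the install file, so if it shows up with host '%' it can
--    be renamed to 'ipsk-db-user'@'127.0.0.1' the same way.
SELECT user, host, plugin
  FROM mysql.user
 WHERE user LIKE 'ipsk-%';

-- 4. Verify the ISE account holds only rights on the ipsk schema (it needs
--    to execute the stored procedures listed in the install file, nothing
--    on other databases).
SHOW GRANTS FOR 'ipsk-ise-user'@'192.0.2.10';
```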
  24. (Optional) If a temporary MySQL account was created earlier, run the following to remove the 'install' account:
admin@ubuntu:~$ sudo mysql -p
Enter password: 
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1080
Server version: 5.7.27-0ubuntu0.18.04.1 (Ubuntu)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'install'@'%';
mysql> FLUSH PRIVILEGES;
mysql> DROP USER 'install'@'%';

To configure ISE and the WLC for iPSK Manager, click the links below:

[ISE Configuration] [WLC Configuration]

Appendix

Keeping iPSK Manager up to date

The automated update process documented in this section only applies to versions of iPSK Manager that include this section in their README.

When there is an update to the Git repository, the local iPSK Manager deployment can be updated without reinstallation. We recommend you periodically update your iPSK Manager deployment so you get all the latest features and fixes. You can automate the update process by creating a cron job.

To use this upgrade method, copy the config.php file from the supportfiles/include directory to somewhere outside the iPSK Manager source tree. The config.php file is restored automatically after an upgrade if it is placed in the /opt/ipsk-manager directory on the host running iPSK Manager.

  1. Keep regular backups of the database, the installation directory, and the config.php file to restore from in case of an upgrade failure.
  2. Copy the config.php file to /opt/ipsk-manager (you will need to create this directory). You only need to copy this file once, and again whenever you change it:
admin@ubuntu:~$ sudo mkdir /opt/ipsk-manager
admin@ubuntu:~$ sudo cp /var/www/iPSK-Manager/supportfiles/include/config.php /opt/ipsk-manager
  3. Go to the iPSK Manager install directory:
admin@ubuntu:~$ cd /var/www/iPSK-Manager
  4. Pull the repository:
admin@ubuntu:~$ sudo git pull
  5. After the repository is pulled, open a web browser to the URL of the iPSK Manager Admin Portal. The installer script will detect your config.php in the backup directory (/opt/ipsk-manager), copy it back automatically, remove the installation files, and redirect you to the login screen. At this point your iPSK Manager installation has been updated.

(Experimental) GUI Logging

Logging via the GUI can be enabled by editing the 'additionalmenus.json' file in the /var/www/iPSK-Manager/supportfiles/adminportals/modules/ directory. Change the "menuEnabled" flag at the end to 1 (the default is 0) as shown below, then refresh the admin GUI and a 'System Logging' option appears just below the 'About' settings. Note that the logging view currently lacks a few features that would make it usable beyond basic troubleshooting.

{"0":{"id":"menuLogging","module":"logging","data-feather":"flag","menuText":"System Logging"},"menuItems":1,"menuEnabled":1}

Note: The rest of the logging settings are under Platform Configuration > Advanced Settings and Logging Settings.

Use non-SSL port for admin and end user portal

It is recommended to use SSL for security, and the main section of this document describes how to enable it. However, if no certificate is available, port 80 requests can be served by the admin portal by creating a file called '80.conf' with the following content and placing it in the '/etc/apache2/sites-enabled' directory:

<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

ServerAdmin webmaster@localhost
DocumentRoot /var/www/iPSK-Manager/adminportal

<Directory /var/www/iPSK-Manager/adminportal>
AllowOverride All
</Directory>

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

</VirtualHost>

Note: You may need to remove the default config file from the '/etc/apache2/sites-enabled' directory.

Next, point port 8080 requests to the end user portal by creating a file called '8080.conf' with the following content and placing it in the '/etc/apache2/sites-enabled' directory:

Listen 8080

<VirtualHost *:8080>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

ServerAdmin webmaster@localhost
DocumentRoot /var/www/iPSK-Manager/portals

<Directory /var/www/iPSK-Manager/portals>
AllowOverride All
</Directory>

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

</VirtualHost>

Note: Within the iPSK Manager admin portal, go to Portals and make sure the end user portals are configured with port 8080.

Lastly, restart apache service:

admin@ubuntu:~$ sudo systemctl restart apache2

SAML Authentication Support

SAML authentication is available for the admin, sponsor, and captive portals. iPSK-Manager does not act as a SAML SP; it requires an external SP (such as the Apache module mod_shib) to interact with your SAML IdP. After successful SAML authentication, Apache sets either an Apache environment variable or a request header. By default the header option is disabled and the environment variable used is REMOTE_USER, but both can be changed. The SAML settings are located in Platform Configuration.

Users authenticated with SAML still need to exist in either the internal database or an LDAP directory and be assigned to groups for authorization. For internal database users, the password can be set to any value, as these users never log in with a password. The user store used for captive and sponsor portal authorization is based on the portal configuration. For admin portal authorization, it defaults to the internal database. To use LDAP authorization for the admin portal, enable the setting in Platform Settings and choose which LDAP directory to use; only one LDAP directory is supported for admin portal LDAP authorization.

NOTE:

  • There is no backdoor login when SAML is enabled. If you need to regain access to a system whose SAML authentication is broken, edit the database manually to disable SAML authentication.
  • Using a header for SAML authentication should be done with caution: the SP (or the web server in front of the application) must strip or overwrite that header on every incoming request, so that a client can never inject the header used for SAML authentication and be treated as an authenticated user.

Using Shibboleth (mod_shib) as Service Provider (SP)

Install mod_shib from the Ubuntu package repository. Note that, as of this writing, there is a bug where a bogus message about using an Apache 1.3 module appears in the logs. This bug is documented at https://bugs.launchpad.net/ubuntu/+source/shibboleth-sp/+bug/1984194

admin@ubuntu:~$ sudo apt-get install libapache2-mod-shib

Configure the Shibboleth SP for your environment based on the Shibboleth documentation. The user attribute must contain only the username for iPSK-Manager to work properly with SAML authentication.

The configuration lines needed for the Shibboleth Apache module are already present in the .htaccess files within the iPSK Manager file structure. Once the module is enabled in Apache, that configuration becomes active. You will still need to enable SAML from within the iPSK Manager Platform Configuration settings and also perform any Apache configuration steps required for SP operation.

Active Directory Nested Group Support

Active Directory nested group support can be enabled in the Platform Configuration menu. Enabling it turns it on for all portals (admin, captive, and sponsor) and for all LDAP directories configured in the system.

NOTE:

  • To support nested groups, the LDAP process goes through each group assigned to a user and searches those groups to see whether each is itself a member of another group. Depending on the number of groups assigned to a user and how many of them are nested, there can be a noticeable delay when logging in. The use of nested groups should be avoided if possible.

Authors

  • Gary Oppel
  • Hosuk Won
  • Nick Ciesinski

License

This project is licensed to you under the terms of the Apache License, Version 2.0.


Copyright 2024 Cisco Systems, Inc. or its affiliates

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

ipsk-manager's Issues

DB Stored Procedure Failing

Describe the bug
Stored procedure iPSK_AuthMACPlainNonExpired fails with the following error.
ERROR 1054 (42S22): Unknown column 'users.password' in 'where clause'

To Reproduce
LDAP is not configured, only internal users.

OS Info:
RHEL 8.3
MySQL 8.0.23

Cannot get the iPSK Page to run as expected

I installed a clean version on Ubuntu 20.04 LTS.

After I set up Apache, PHP and so on, I only get a directory listing when I open the browser.
And this I only managed to get after I entered the following in /etc/apache2/sites-enabled/000-default.conf:
DirectoryIndex index.php

Clicking on the "adminportal" Folder will get me into the installer. From there I can complete further the steps in the "Installation".

But after finishing with the installer, I still cannot get the main page to work, so I click on the admin folder again. This gets me to enter the username and password (as written in Step 20).
But once I do, I get the following error:

So the question here is whether there are some additional settings that need to be entered which are not described in the documentation, or is this a bug of some sort?

DB stored procedure returns incorrect results to Cisco ISE

iPSK Manager's stored procedures play a key role in how ISE handles the requests for access.

Affected Stored Procedures

  • iPSK_MACLookup
  • iPSK_MACLookupNonExpired

The procedures execute the following SQL statement and return its result to ISE when an endpoint is disabled, causing ISE to continue to the next identity store within the identity sequence:

SELECT 3, 0, 'odbc','ODBC Authen Error';

This causes the DB to always return an incorrect response when an endpoint is either disabled or expired.

Expected Results
The affected stored procedures should return the proper response according to the status of the endpoint within the iPSK Manager Database.

Update the stored procedures as per the Credential Check for ODBC Database section of Cisco ISE's ODBC Identity Source documentation.

Filtering & bulk editing of endpoints

Is your feature request related to a problem? Please describe.
To be honest... I don't think so :)

Describe the solution you'd like
It would be nice if you could filter or search for all configured endpoints using one or more attributes and carry out mass changes or deletions on them.

Describe alternatives you've considered
Such changes are currently only possible with direct database access. However, this is not a viable solution for the actual portal users and contradicts the actual purpose of the portal.

Add pinpoint for CSV import failures (i.e. illegal character at line X)

Is your feature request related to a problem? Please describe.
Not necessarily a problem, as the issue I originally reported has been fixed. However, in my implementation there are a lot of users using the portal that are not technical. When they go to import a CSV, sometimes it might fail with an illegal character or some other error, but there's no description to the user of where to look for that error. This seems to be more common when copying and pasting values into the CSV from other sources that may have formatting or other funky unexpected attributes.

Describe the solution you'd like
It would be nice to have the failure read out what line the issue is at. I.e. illegal character at line 20, even better if it could tell you the error is in field "fullname". Having an option to either stop the import at the first error or log the error and continue importing would be cool too.

Describe alternatives you've considered
No real workaround, other than trial and error for the user or myself with the file.

Additional context
Add any other context or screenshots about the feature request here.

Bulk import issue

Describe the bug
It fails when trying to do the bulk import with the error: "The Endpoint Import has failed. (Error message: Unable to create associations for endpoints)" however - there are green icons by the MAC addresses itself and I noticed that endpoints are added to the "endpoints" table but not to the "endpointAssociations" one.

To Reproduce
Steps to reproduce the behavior:
Use "Bulk import" feature with CSV file.

Expected behavior
Register a group of MAC addresses.

Desktop (please complete the following information):

  • OS: Win11
  • Browser: Edge, Firefox

Port enhancement from commit 458bc66 and issue #30 to the sponsor portal pages

Is your feature request related to a problem? Please describe.
The fix for the illegal character handling that was applied to the admin portal needs to be applied to the other portals as well.

Describe the solution you'd like
Per Nick, Port enhancement from commit 458bc66 and issue #30 to the sponsor portal pages

Describe alternatives you've considered
No real other alternative.

Add input validation on installer to avoid iPSK database user and ISE ODBC user to be the same (leads to "Creation of Cisco ISE MySQL user failed")

Issue

On installer, if "iPSK database username" and "Cisco ISE ODBC Username" have the same values, the install script indeed tries to create 2 mySQL users with the same username, which leads to the "Creation of Cisco ISE MySQL user failed" error.
(On backend, mySQL error 1396).

Suggested solution

Add data validation on the installer form to avoid those 2 values to be the same.

First endpoint created in a new deployment does not show up in the endpoint list.

This is an issue stemming from my PR (#22) which added searchable tables to the endpoint list.

In a brand new iPSK Manager deployment, the first endpoint you create will not show up in the table, at all. The next endpoint, and all future endpoints will show up, but the first one never will. (Technically, it did show up, but it was showing up as "Suspended" with no other details. I "fixed" it in dd68cc3 by hiding the Suspended entry as described here: #22 (comment))

This was a mis-diagnosis of the root cause - it turns out, my pagination implementation removed the $pageStart variable, which is referenced when initializing the loop that builds the endpoint table.

PR with fix coming shortly.

Not able to login with LDAPS

After the latest install I am not able to login with LDAP(S) anymore.
The error message I get is this:

PHP Notice: Undefined variable: authorizedGroups in /var/www/iPSK-Manager/adminportal/login.php on line 135, referer:

To reproduce:
From login page: Type username and password and choose the configured LDAPS server as source.
Click Sign In.

LDAPS connection is working. When clicking Test on the Connection name (under LDAP servers) it reports success.

Modal verification not working properly

With the update to Bootstrap 5, changes were made to the code within the modal pages to close the modal and not lock the scrolling on the screen. The result of that change is that when the validator shows an error, the user will not see it because the modal closes.

Need to remove the modal close logic added to the update button and cleanly close the modal after the successful processing of the modal add/edit function instead.

Individual endpoint column filters broken

Endpoint column filters other than the first column do not work after commits 12f4f5a and 8503b62, when supporting frameworks were bumped to newer versions.

In the following two code snippets, $(this).parent().index() returns 0 for any filter column field the user types into, when it should return the proper column number of the field the user is typing into.

var table = $("#endpoint-table").DataTable();
$("#endpoint-table thead #endpoint-table-filter input").on( 'keyup change', function () {
table
.column( $(this).parent().index()+':visible' )
.search( this.value )
.draw();
} );

var table = $("#endpoint-table").DataTable();
$("#endpoint-table thead #endpoint-table-filter input").on( 'keyup change', function () {
table
.column( $(this).parent().index()+':visible' )
.search( this.value )
.draw();
} );

All endpoints get the same PSK when performing a bulk CSV File Import

Describe the bug
When performing a bulk import of new endpoints, all imported endpoints get the same randomized PSK (even when "Unique PSK per Device" was configured in the chosen authorization template).

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'Managed iPSK EndPoints'
  2. Click on 'Add Bulk Endpoints'
  3. Select an authorization template with configured "Unique PSK per Device"
  4. Select a wireless SSID
  5. Select "CSV File Import" as bulk import type
  6. Upload CSV file created with the import_sample.csv
  7. Click on "Import"

Expected behavior
Each entry in the CSV-File creates one endpoint based on the authorization template with a unique PSK for each endpoint.

Ubuntu 20 Failing Installation

During installation on Ubuntu 20 the below error is seen during the initial installation wizard.


I assumed this was an error on my part the first time or two. After the third or fourth time, I realized that it wasn't me. I attempted to complete it on Ubuntu 18 and the same steps worked without a hitch.

  • OS: Ubuntu 20
  • Browser: Firefox
  • Version

iPSK-Manager Fails to create DB

Describe the bug
I am installing iPSK-Manager on ubuntu 22.04-LTS Server and cannot create the iPSK Database.

To Reproduce
Steps to reproduce the behavior:

  1. Following the Install readme on GitHub, I got to install.php
  2. Filled in all details as per suggestions
  3. Create Admin Password, click Next
  4. Click Install
  5. Get 500 Error

Expected behavior
Should create a DB and continue to install iPSK-Manager

Screenshots
(screenshots attached to the original issue)

Server (please complete the following information):

  • OS:
    DISTRIB_ID=Ubuntu
    DISTRIB_RELEASE=22.04
    DISTRIB_CODENAME=jammy
    DISTRIB_DESCRIPTION="Ubuntu 22.04.1 LTS"

Desktop
OS: Windows 10 22H2
Browser: Edge

RHEL Admin Portal Menu Not Showing

Describe the bug
No menus appear after logging in to the admin portal. Only the Navbar is displayed at the top of the page.

To Reproduce
After a new install, the admin portal appears blank. A 500 error is reported in developer tools console.

Expected behavior
The configuration menus should be displayed

Environment:

  • OS: RHEL 8.3
  • PHP 7.2

Additional context
The following error is reported in /var/log/php-fpm/www-error.log

PHP Fatal error: Uncaught Error: Call to undefined function json_decode() in /var/www/iPSK-Manager/adminportal/adminportal.php:148

The problem is subsequently resolved by installing php-json package and restarting the httpd service.

Add config.php to gitignore

Is your feature request related to a problem? Please describe.
To make git pull upgrades more clean add config.php to .gitignore

Describe the solution you'd like
Add supportfiles/include/config.php to the .gitignore

MySql 8 installation GRANT fails

In installer.inc.php the GRANT to mysql.proc fails as that table has been finally retired.

$iseSqlPermissions[3] = "GRANT SELECT ON mysql.proc TO '{$_SESSION['iseusername']}'@'%'";

What are the thoughts on removing that line, as the stored proc permissions should be granted by SELECT permission on the database?

accountEnabled | Attribute | ODBC Connection

accountEnabled is not an attribute that can be pulled via the ODBC connection when connecting to ISE. This would be helpful to be able to validate whether an account is suspended or not.

Currently a suspended account and expired account can still connect.

Add SAML / Shibboleth Support

It would be nice to have SAML / Shibboleth support for IPSK Manager. We have a company policy that requires Apache and IIS servers to use SSO authentication for users. This can be done via basic Apache auth and using the Shibboleth plugin. Once authenticated, user info can be looked up in AD via SLDAP or via the Shibboleth headers.

We are trying to utilize a common SSO page and authentication process for corporate users to help decrease confusion for untrusted sites.

Please see shibboleth site: https://www.shibboleth.net/community/

unable to reference accountEnabled attribute

I am unclear on how to reference the "accountEnabled" attribute.

If I suspend the endpoint, ISE still lets it on the network. If I add the iPSK Manager attribute "accountEnabled = 1" to the authorization policy that is already looking for the endpoint's device group, the rule stops working.

How do I get this to work?

Using the following.
iPSK_AuthMACPlainNonExpired
iPSK_FetchPasswordForMACNonExpired
iPSK_MACLookupNonExpired

Ubuntu 22.04.4 LTS
MySQL 8.0.36-0ubuntu0.22.04.1
PHP 8.1.2-1ubuntu2.17
ISE 3.2.0.542 patch 3.4

Account expiration in iPSK

Hi,

It seems that the expiration date in MySQL is set to a number and not in date format. This is no problem really, but the expiration itself is problematic.
The field "accountExpired" is always set to "False". If the expiration date is due, the portal shows "Account Expired", but the MySQL field "accountExpired" is not updated. accountExpired is also a RADIUS attribute, but using it has no use, as the field accountExpired never changes (from "False").

So there is really no way to exclude the expired account/device except deleting it.

//Bjorn

Internal Group Duplicate Name

When adding a new internal group, if the group name is the same as an existing name, an error modal will appear on the screen when save is pressed. This is because the group name is set to be a non-duplicated key in the database. Need to present a better error experience to the user.

Deleted Endpoint Groups still assignable

Describe the bug
Deleted endpoint groups can still be assigned to endpoints from the admin portal (via edit endpoint).

To Reproduce

  1. Create an endpoint group and delete it.
  2. Edit an endpoint from 'Manage iPSK Endpoints' in the admin portal.
  3. Edit the endpoint grouping
  4. Choose a deleted endpoint group from the list.

Expected behavior
Deleted endpoints should not be visible.

Additional context
Endpoint groups are not deleted from MySQL, but instead the visible attribute is changed to 0. This behavior also makes these deleted groups searchable from ISE.

HTTP Error 500 During Install

Describe the bug
On step 6 of the admin portal install, an HTTP 500 error is returned. The setup does not complete.

To Reproduce
After confirming database settings in step 5 of the setup wizard, the next page returns a generic 500 error page.

Expected behavior
Step 6 should provide status information about application setup.

Additional context
Problem encountered on RHEL 8.3

The issue appears to be related to the generateEncryptionKey function in installer.php. SODIUM_CRYPTO_SECRETBOX_KEYBYTES is not a recognized parameter.

Install script SODIUM_CRYPTO_SECRETBOX_KEYBYTES missing/password complexity

Install.php fails because SODIUM_CRYPTO_SECRETBOX_KEYBYTES is not defined under Centos 8.1.1911 with PHP 7.2.11

Similar to this post

In addition:
With mysql_secure_installation applied, the function that generates a random password can produce a password that does not meet the complexity criteria, resulting in failure to create the MySQL user.

Default complexity rules for MySql 8 are:
mysql> SHOW VARIABLES LIKE 'validate_password%';

+--------------------------------------+--------+
| Variable_name                        | Value  |
+--------------------------------------+--------+
| validate_password.check_user_name    | ON     |
| validate_password.dictionary_file    |        |
| validate_password.length             | 8      |
| validate_password.mixed_case_count   | 1      |
| validate_password.number_count       | 1      |
| validate_password.policy             | MEDIUM |
| validate_password.special_char_count | 1      |
+--------------------------------------+--------+

A very bad hack is to simply append mixed case, number and special char to the random password, but clearly that is not very secure.

OS: CentOS 8.1.1911
Mysql: 8.0.17
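An added example, not code from the iPSK Manager installer, showing how an installer can draw a MySQL user password that satisfies the validate_password MEDIUM defaults listed above without the append hack: every character comes from a CSPRNG and candidates that miss a rule are simply redrawn. The policy values and the user name are taken from the issue; the function names are this example's own.

```python
import secrets
import string

# Mirrors the SHOW VARIABLES output above: length 8, at least 1 lowercase and
# 1 uppercase, 1 digit, 1 special character, and check_user_name=ON (the
# password may not equal the user name or its reverse).
POLICY = {
    "length": 8,
    "mixed_case_count": 1,
    "number_count": 1,
    "special_char_count": 1,
    "check_user_name": True,
}

# validate_password counts any printable non-alphanumeric character as special.
SPECIAL = string.punctuation
# For generation, quotes and backslash are left out so the value drops into the
# installer's CREATE USER statement without quoting surprises; they still count
# as special when validating.
GEN_SPECIAL = "".join(c for c in SPECIAL if c not in "'\"`\\")
ALPHABET = string.ascii_letters + string.digits + GEN_SPECIAL


def meets_policy(password: str, username: str = "", policy: dict = POLICY) -> bool:
    """Return True when `password` passes every rule in `policy` for `username`."""
    if len(password) < policy["length"]:
        return False
    lower = sum(c.islower() for c in password)
    upper = sum(c.isupper() for c in password)
    digits = sum(c.isdigit() for c in password)
    special = sum(c in SPECIAL for c in password)
    # mixed_case_count is a minimum for lowercase AND uppercase separately.
    if lower < policy["mixed_case_count"] or upper < policy["mixed_case_count"]:
        return False
    if digits < policy["number_count"] or special < policy["special_char_count"]:
        return False
    if policy["check_user_name"] and username:
        if password in (username, username[::-1]):
            return False
    return True


def generate_password(length: int = 20, username: str = "", policy: dict = POLICY) -> str:
    """Return a random password of `length` characters that satisfies `policy`.

    Rejection sampling keeps the result uniform over all compliant strings:
    no position is predictable, unlike appending "A1!" to a random string.
    """
    if length < policy["length"]:
        raise ValueError("length is below validate_password.length")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, username, policy):
            return candidate
```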

Add additional columns to the Sponsor Portal

Additional columns for the Admin portal were created (like description) in #31, and that is working like a charm.
It would be great if we could also get the possibility to have those extra columns on the sponsor portal.

In other words, the request is to get the same functionality regarding the extra columns for the sponsor portal that the Admin portal already has.

Documentation is referring to an Appendix

Describe the bug
Step 8 says the following:
It is recommended to use SSL for security and the subsequent section describes how to enable SSL. However, if no certificate is available, follow the instructions in the Appendix on how to use a non-SSL port for the portals.

There are no Appendixes as far as I can see.

LDAPS failed

Hi there,

Please could you help us with LDAPS. In the iPSK app we get "failure" but are unable to work out why.

We have tried using the ldapsearch tool with the following result.

Thanks in advance

ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP cutomerserver.LOCAL:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying serverip:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
tls_write: want=407, written=407

---- cert --

tls_read: want=5 error=Connection reset by peer
TLS: can't connect: Error in the pull function..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Ubuntu 18.04 with mysql 5.7 - Fails to install

Followed the guide to install, but installation fails!

--> Creation of iPSK Manager MySQL User Failed
--> iPSK Manager Installation Failure

The installation failed to finish correctly. Please re-run the installation again.

LDAPS not working

LDAP works fine
LDAPS does not work
There seems to be an issue with the secure LDAP checkbox in the GUI.
When adding an LDAP Server, the checkbox for secure LDAP always resets to unchecked after applying the setting.

tcpdump shows that port 389 is used.

But I was able to set the value in the MySQL DB.

mysql> select * from ldapServers;
mysql> update ldapServers set adSecure = 1 where adSecure = 0;

That works; tcpdump shows that the connection is now on port 636.

Unfortunately, I get an authentication error.

I double-checked with "ldapsearch" that the LDAP server is accessible via LDAPS; this only works with the option "LDAPTLS_REQCERT=never", as I did not install the server certs (and I prefer not to).

I assume that iPSK Manager fails to authenticate against LDAPS because it also lacks the server certificates.

I tried to modify BaseLDAPClass.php so that it ignores any certificates:

ldap_set_option($ldapConnection, LDAP_OPT_DEBUG_LEVEL, 7);
ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapConnection, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ldapConnection, LDAP_OPT_X_TLS_REQUIRE_CERT,0);

(or LDAP_OPT_X_TLS_ALLOW )

Unfortunately this does not work either.

I don't see any options in the GUI to import certs.

Any updates on this?

Admin Portal loop on fresh install

Hello,

I installed the tool on a new server. I configured MySQL and Apache. When I start the admin portal, I see a loop. The URL gets de-DE appended, then another de-DE, and so on.
https://<ip address>/de-DE/de-DE/de-DE/de-DE/de-DE/de-DE/de-DE/de-DE/de-DE/de-DE/de-DE/de-DE/de-DE/de-DE/de-DE/de-DE/de-DE/de-DE/de-DE/de-DE/de-DE/de-DE/index.html
How can I debug this and where is the error?

Apache config:
<VirtualHost *:443>
ServerAdmin webmaster@ipskmanager
DocumentRoot /var/www/iPSK-Manager/adminportal
<Directory /var/www/iPSK-Manager/adminportal>
AllowOverride All

ErrorLog /var/log/httpd/admin-error.log
CustomLog /var/log/httpd/admin-access.log combined

SSLCertificateFile /etc/httpd/ssl/psk-portal-dev.crt
SSLCertificateKeyFile /etc/httpd/ssl/psk-portal-dev.key

SSLCertificateChainFile /etc/httpd/ssl/psk-portal-dev.chain

<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars

best regards,
Lars

Add ability to search endpoint list by attributes, including MAC address, name and email to the Sponsor Portal

Is your feature request related to a problem? Please describe.
The ability to search the endpoint list by attributes on the admin portal was added in fix #19. However, there are no filtering/search options on Sponsor Portals (manage.php). Sponsors struggle to find endpoints through the portal as the list gets bigger.

Describe the solution you'd like
Please add endpoint search and sorting options by attributes (MAC address, name, email) to the Sponsor Portal.


Install using non-standard mysql port

Describe the bug
Installing the app using an offloaded mysql server with non standard port
To Reproduce
Steps to reproduce the behavior:

  1. Go to 'installer'
  2. Under MySQL Database Parameters
  3. MySQL Server IP/FQDN: fqdn:3308, also tried fpdn,3308
  4. Error 'MySQL Error: (1049) Unknown database '3308''

Expected behavior
I would expect that the installer would accept the port number to configure the instance of mysql


Server: ipsk app

  • OS: Oracle Linux 8

Server: MySql

  • OS: Oracle Linux 8
  • MySql version: 8

Additional context
As stated above attempting to install the ipsk app using an external MySql server using a non-standard port

Thanks,
Rene

How to upgrade

Hi.
I see there is a new version now.
How do I upgrade to this new version without breaking existing installation?

Thanks

First Entry in Endpoints not showing

Describe the bug
After Adding an Endpoint the GUI is not showing the entry.

The entry can be seen in the database

After adding a second entry the one before it will show up.
So basically I am always missing the newest entry.

Server:
Distributor ID: Ubuntu
Description: Ubuntu 20.04.6 LTS
Release: 20.04

Browsers:

  • Firefox Version 115.7.0esr (32-Bit)
  • Edge Version 121.0.2277.128 (64-Bit)

Any help would be appreciated

Filtering and additional columns on Endpoint List Page

Is your feature request related to a problem? Please describe.
When looking at the list of all endpoints, I'm unable to filter by any of the heading fields. I have to search, which then brings up the endpoints I'm looking for, but the search resets when I go back to the list. I also can't see who created each endpoint without clicking the 'view' button.

Describe the solution you'd like
Filtering ability for each of the column headings, and added columns for full name or email address for the user that created each endpoint record.


Recursive Query against AD/LDAP not working

Describe the bug
Hi, we're using iPSK to authenticate against LDAP/AD and it's mostly working fine. Recently, we experienced an error for some users who couldn't log in to the sponsor portal.
We did some tests and figured out that recursive lookups against the LDAP/AD are not working. So, all the users for a certain group must be in the same OU.

Is it possible to fix/update this so that small recursion is possible (propose 2-3 levels, or maybe a variable for this)?

To Reproduce
Create an external group and assign:

External Group Distinguished Name:
cn=highlevel,OU=Groups,OU=Users,DC=d,DC=comapany,DC=ch

-> all users in group highlevel can login to the portal

Users in the OU "cn=lowerleven,OU=highlevel,OU=Groups,OU=Users,DC=d,DC=comapany,DC=ch" for example are not able to log in. We assume that recursion is not done.

In the database, we found the following two related lines:
1676 2020-11-16 13:07:25 823c0a55-5fb26a43 /var/www/iPSK-Manager/supportfiles/portals/sponsorportal/default/login.inc.php 224 REQUEST:FAILURE{1}[user_authz_failure];ACTION:SPONSORAUTHZ;REMOTE-IP:xx.xx.xx.xx;USERNAME:xxxxxx;AUTHDIRECTORY:;
1677 2020-11-16 13:07:25 823c0a55-5fb26a43 /var/www/iPSK-Manager/supportfiles/portals/sponsorportal/default/index.inc.php 29 REQUEST:FAILURE[index_error]];ACTION:SPONSORPORTAL;CLIENTIP:xx.xx.xx.xx;HOSTNAME:hostname.domain;TCPPORT:8443;

Expected behavior
Users from "Highlevel" and "Lowerlevel" can login to the Portal

Screenshots
Not needed ..

Desktop (please complete the following information):

  • OS: Win10
  • Browser Chrome / Firefox
  • Version Current

Thank you for your effort with iPSK. Highly appreciated.

Regards
Daniel
